[Closed] basline
maco
post Jun 29 2009, 09:04 AM
Post #1

Authentic Member
Group: Authentic Member
Posts: 34
Joined: 29-June 09
Member No.: 86,465
Operating System: windows vista

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02, on 2009-06-29
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\BTModemProtection.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BTModemProtection] BTModemProtection.lnk
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4702 bytes
CatByte
post Jun 30 2009, 07:40 AM
Post #2

Classroom Administrator
Group: Classroom Admin
Posts: 12,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3
MVP

Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require more than one round to properly eradicate.
  • Absence of symptoms does not always mean the job is complete; you can be certain that I will advise you when the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.

Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

STEP #2

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following …
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop and attach it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
maco
post Jul 1 2009, 12:36 AM
Post #3

DDS (Ver_09-06-26.01) - NTFSx86
Run by bob at 7:22:50.70 on 2009-07-01
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.1194 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\BTModemProtection.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\bob\Desktop\dds.pif
C:\Users\bob\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [BTModemProtection] BTModemProtection.lnk
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================
maco
post Jul 1 2009, 12:38 AM
Post #4

Hello. I tried to copy the GMER rootkit thingy but was unable to; it said it was in the clipboard, but I could not find it anywhere.
maco
post Jul 1 2009, 03:17 AM
Post #5

Hello. I have had to write the rootkit log down; here it is.
Type Value
attached D... \filesystem\fastfat\fat flt.sys (microsft file system filter
attached D...\driver\tdx\device\lp avgdix.sys (avg network connection
attached D...\ " \ " \ " \tcp " " " " "
attached D...\ " \ " \ " \ udp " " " " "
attached D... \ " \ " \ " \ rawlp " " " " "
I am sorry for being so long-winded, but even the print screen does not seem to work, hence the manual typing. For some reason the value does not appear in this reply; if you can use the edit button, it is there.
CatByte
post Jul 1 2009, 04:03 AM
Post #6

Hi,

Most of the DDS log appears to be missing from your post. The Attach.txt is not there either.

If you are having trouble copy/pasting into the thread, can you please try zipping up the logs and attaching them?
maco
post Jul 2 2009, 01:59 AM
Post #7

Hello. I am of limited experience; is there any chance that you could guide me through it?
bob.
CatByte
post Jul 2 2009, 05:29 AM
Post #8

Hi,

By all means. Please let me know if anything is unclear and I will try to make it clearer for you. Please don't worry about this; I am here to help you through it in any way that I can. We can go over things as many times as necessary.

Please locate the file on your desktop called DDS.txt. If you did not save this file directly to your desktop, then you will find it in the DDS folder that is on your desktop.

Open DDS.txt by double-clicking it.

A Notepad file will open.

On the top row of Notepad, locate the "Edit" button. Press "Edit" > now press "Select All"; you will notice all of the text in Notepad is now highlighted.

Using the right button on your mouse > right-click anywhere on that highlighted text; a menu will open > with the left mouse button select "Copy" from that menu.

What that does is put the text on an "unseen clipboard". It is the computer's way of remembering that text for use later.

Now come to this topic and choose the ADD REPLY button. An empty window pane will open.

Using the right button on your mouse again > right-click anywhere in the empty pane. A menu will open. Now with the left mouse button select "Paste".

The previously "copied" text will now paste into this topic.

That should work; as long as you chose "Select All" in Notepad, I should receive all the text.

If for some reason you cannot get this to work, then I would ask you to do the following.

Press the Add Reply button in this thread.

A window pane opens. Underneath this window pane, to the right of the screen, you will notice an additional box.

One says Manage Current Attachments, the other says Browse, and beside that is an "Upload" button.

Press the Browse button > a "File Upload" window pane will open.

On the top row it says "Look in" with a box; hopefully the location inside the box already says "Desktop".
If the location says anything but "Desktop" > on the right side of the box is a small arrow > press the small arrow > from the drop-down menu that appears > choose "Desktop" with your left mouse button.

Now, underneath that in the window pane, a list of all the items located on your desktop will show.

Locate the DDS.txt file > double-click your left mouse button on the DDS.txt file.

You will now notice that the location of DDS.txt has been put into the "Browse" box.

Now click the green Upload button.

Once the file has uploaded, click the Manage Current Attachments drop-down box.

Click on to insert the attachment into your post


Then choose Add reply and the attached document will appear in your post.

Thank-you

CB

Try that with the GMER text also.

Let me know how you get on.
maco
post Jul 3 2009, 11:22 AM
Post #9

Hello Doug. Can you please repost the link for DDS and the rootkit thing? One last thing: can you keep it as simple as possible?
bob.
maco
post Jul 3 2009, 11:27 AM
Post #10

Hello Doug. I've become a bit confused already; is this what you need?
DDS (Ver_09-06-26.01) - NTFSx86
Run by bob at 7:22:50.70 on 2009-07-01
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.1194 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\BTModemProtection.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\bob\Desktop\dds.pif
C:\Users\bob\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [BTModemProtection] BTModemProtection.lnk
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bob\appdata\roaming\mozilla\firefox\profiles\pw03ouua.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=1665&gct=&gc=1&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-11 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-18 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-18 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-18 298776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-9 210216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-11 348752]
R3 ModemProtection;ModemProtection;c:\windows\system32\ModemProtection.sys [2005-5-15 13157]
S4 FQXPEFL;FQXPEFL;c:\users\bob\appdata\local\temp\fqxpefl.exe --> c:\users\bob\appdata\local\temp\FQXPEFL.exe [?]
S4 HFJCDPT;HFJCDPT;c:\users\bob\appdata\local\temp\hfjcdpt.exe --> c:\users\bob\appdata\local\temp\HFJCDPT.exe [?]

=============== Created Last 30 ================
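A triage pass over the service and policy lines of the DDS log above (the same two S4 entries and the EnableLUA policy recur in the later ComboFix report), written here as an added example rather than code from the thread or from DDS, ComboFix or HijackThis. The line formats, and the reading of the trailing `[?]` as "file could not be found on disk", are assumptions taken from the posted output:

```python
"""Triage the service and policy lines of a DDS / ComboFix log.

Added example, not code from the thread or from DDS, ComboFix or HijackThis.
Assumed line formats, taken from the logs as posted:
  service : "<state> <name>;<display name>;<image path> [<date> <size>]"
            where "<path> --> <PATH> [?]" is assumed to mean the tool could
            resolve the registry path but not stat the file on disk.
  policy  : "mPolicies-system: <key> = <value> (<hex>)"
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the lines of the posted DDS log that matter for triage,
# plus two clean entries (PCTCore, avg8wd) for contrast.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-11 130936]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-18 298776]
S4 FQXPEFL;FQXPEFL;c:\users\bob\appdata\local\temp\fqxpefl.exe --> c:\users\bob\appdata\local\temp\FQXPEFL.exe [?]
S4 HFJCDPT;HFJCDPT;c:\users\bob\appdata\local\temp\hfjcdpt.exe --> c:\users\bob\appdata\local\temp\HFJCDPT.exe [?]
"""

# R0-R3 = running, S0-S4 = stopped/disabled; fields are ';'-separated.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    subject: str    # service name or policy key
    reason: str
    line: str


def image_path(rest: str) -> str:
    """Return the resolved image path from the tail of a service line."""
    rest = rest.strip()
    if "-->" in rest:                       # keep the right-hand (resolved) path
        rest = rest.split("-->", 1)[1].strip()
    return re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop "[date size]" or "[?]"


def triage(log_text: str) -> list[Finding]:
    """Flag services in temp dirs or with missing images, and UAC switched off."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            name, display = svc.group("name"), svc.group("display")
            path = image_path(svc.group("rest"))
            in_temp = bool(TEMP_DIR_RE.search(path))
            missing = line.endswith("[?]")
            odd_name = name == display and name.isupper()
            reasons = [text for text, hit in (
                ("image lives under a temp directory", in_temp),
                ("image file not found on disk", missing),
                ("name equals display name and is all caps (autogenerated-looking)", odd_name),
            ) if hit]
            if reasons:
                severity = "high" if (in_temp or missing) else "medium"
                findings.append(Finding(severity, name, "; ".join(reasons), line))
            continue
        pol = POLICY_RE.match(line)
        if pol and pol.group("key") == "EnableLUA" and pol.group("val") == "0":
            findings.append(Finding("medium", "EnableLUA", "UAC disabled by policy", line))
    return findings


def summary(log_text: str) -> dict[str, str]:
    """Map each flagged subject to its severity, for a quick glance."""
    return {f.subject: f.severity for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.subject}: {f.reason}")
```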
maco
post Jul 3 2009, 11:36 AM
Post #11

Hello Doug. I think I have finally got it, fingers crossed.
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-03 18:33:42
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
CatByte
post Jul 3 2009, 05:06 PM
Post #12

Hi,

Please do the following:


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy/paste all of the C:\ComboFix.txt into this thread for further review.
maco
post Jul 4 2009, 02:17 AM
Post #13

ComboFix 09-07-03.03 - bob 2009-07-04 9:05.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2036.1125 [GMT 1:00]
Running from: c:\users\bob\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 08:12 . 2009-07-04 08:12 -------- d-----w- c:\users\bob\AppData\Local\temp
2009-07-04 07:52 . 2009-07-04 07:57 -------- d-----w- c:\windows\$regcmp$
2009-07-01 08:39 . 2009-07-01 08:39 -------- d-----w- c:\users\bob\AppData\Roaming\iExpert Software
2009-07-01 08:39 . 2009-07-01 08:48 -------- d-----w- c:\program files\Registry Clean Expert
2009-06-29 07:06 . 2009-06-30 06:19 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-06-26 07:35 . 2009-06-18 07:40 2052888 ----a-w- c:\programdata\Avg8\update\backup\avgcorex.dll
2009-06-19 07:59 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-19 07:59 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-19 07:59 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-19 07:53 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-19 07:51 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-18 07:40 . 2009-06-12 08:33 3298072 ----a-w- c:\programdata\Avg8\update\backup\setup.exe
2009-06-18 07:40 . 2009-06-12 08:33 1261344 ----a-w- c:\programdata\Avg8\update\backup\avgwd.dll
2009-06-18 07:40 . 2009-06-12 08:33 829208 ----a-w- c:\programdata\Avg8\update\backup\avgcfgx.dll
2009-06-15 06:27 . 2009-06-15 06:27 -------- d-----w- c:\users\bob\AppData\Roaming\SuperAdBlocker.com
2009-06-15 06:26 . 2009-06-15 06:26 -------- d-----w- c:\windows\system32\URTTemp
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\program files\DVD Decrypter
2009-06-13 12:14 . 2009-06-13 12:14 -------- d-----w- c:\program files\DVD Shrink(0)
2009-06-11 20:33 . 2009-06-11 20:33 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-06-11 07:01 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-11 07:01 . 2009-04-03 10:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-11 07:01 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-11 07:01 . 2009-06-11 07:03 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-11 07:01 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 07:01 . 2009-07-04 08:12 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 07:01 . 2009-06-11 07:01 -------- d-----w- c:\users\bob\AppData\Roaming\PC Tools
2009-06-11 07:01 . 2009-06-11 07:01 -------- d-----w- c:\programdata\PC Tools
2009-06-07 08:33 . 2009-06-09 09:38 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 08:08 . 2008-10-30 19:03 -------- d-----w- c:\program files\SpywareBlaster
2009-07-01 08:35 . 2009-04-21 17:13 -------- d-----w- c:\program files\Auslogics
2009-06-20 16:10 . 2008-08-30 19:42 -------- d-----w- c:\programdata\DVD Shrink
2009-06-20 16:08 . 2008-12-31 16:27 -------- d-----w- c:\users\bob\AppData\Roaming\dvdcss
2009-06-18 18:52 . 2008-08-31 02:53 -------- d-----w- c:\users\bob\AppData\Roaming\wsInspector
2009-06-18 07:40 . 2009-05-18 06:12 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 06:39 . 2009-03-25 06:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 06:38 . 2009-04-24 07:04 3561743 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 10:27 . 2009-03-25 06:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-03-25 06:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 07:35 . 2008-12-31 16:26 -------- d-----w- c:\users\bob\AppData\Roaming\vlc
2009-06-14 07:35 . 2008-08-30 19:42 -------- d-----w- c:\program files\DVD Shrink
2009-06-12 08:33 . 2009-05-18 06:12 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 08:32 . 2009-05-20 07:53 1452312 ----a-w- c:\programdata\Avg8\update\backup\avgupd.dll
2009-06-07 08:36 . 2009-05-04 17:19 -------- d-----w- c:\programdata\Yahoo! Companion
2009-05-25 12:01 . 2009-05-25 12:01 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2009-05-22 06:11 . 2009-03-09 18:08 -------- d-----w- c:\program files\McAfee
2009-05-21 15:36 . 2009-05-21 15:35 16742799 ----a-w- c:\programdata\vlc-0.9.9-win32.exe
2009-05-21 15:36 . 2009-05-21 15:35 16742799 ----a-w- c:\programdata\vlc-0.9.9-win32.exe
2009-05-18 06:12 . 2009-05-18 06:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-18 06:12 . 2009-05-18 06:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-18 06:12 . 2008-11-06 18:09 -------- d-----w- c:\programdata\Avg8
2009-04-10 11:07 . 2008-08-29 07:49 1356 ----a-w- c:\users\bob\AppData\Local\d3d9caps.dat
2009-04-08 17:29 . 2009-04-08 17:27 131072 ----a-w- c:\windows\system32\datestamp.dll
2009-04-08 17:27 . 2009-04-08 17:27 45056 ----a-r- c:\users\bob\AppData\Roaming\Microsoft\Installer\{6815FCDD-401D-481E-BA88-31B4754C2B46}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-06-12 2952128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-06-17 1181576]
"BTModemProtection"="BTModemProtection.lnk" - c:\windows\System32\BTModemProtection.lnk [2009-01-18 1657]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2052876018-1554197128-2134586999-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0602B06A-6372-499D-BEF4-6AC06F88A6BF}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{8106E98A-F4C7-4D90-B936-92FA5B5B72C8}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{A4A1EBA0-675B-431D-A8B2-CB48EB57D8DD}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [2009-06-11 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-05-18 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-05-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-18 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-18 298776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-09 210216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-06-11 348752]
R3 ModemProtection;ModemProtection;c:\windows\System32\ModemProtection.sys [2005-05-15 13157]
S4 FQXPEFL;FQXPEFL;c:\users\bob\AppData\Local\Temp\FQXPEFL.exe --> c:\users\bob\AppData\Local\Temp\FQXPEFL.exe [?]
S4 HFJCDPT;HFJCDPT;c:\users\bob\AppData\Local\Temp\HFJCDPT.exe --> c:\users\bob\AppData\Local\Temp\HFJCDPT.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\pw03ouua.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=1665&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 09:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2716)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-07-04 9:14
ComboFix-quarantined-files.txt 2009-07-04 08:14

Pre-Run: 131,374,833,664 bytes free
Post-Run: 131,342,958,592 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
139 --- E O F --- 2009-06-27 07:09
CatByte
post Jul 4 2009, 04:12 AM
Post #14


Classroom Administrator

Group: Classroom Admin
Posts: 12,670
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3
MVP


Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
http://forums.whatthetech.com/basline_t104621.html&view=findpost&p=574659#entry574659

Collect::
c:\users\bob\AppData\Local\Temp\FQXPEFL.exe
c:\users\bob\AppData\Local\Temp\HFJCDPT.exe

KillAll::

Driver::
FQXPEFL
HFJCDPT


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.




CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
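The two Temp-resident `S4` entries that the CFScript above collects and removes are the kind of thing an analyst picks out of the services section of a ComboFix log by eye. The Python below is an added example, not code from this thread or from ComboFix: it parses lines in the `R0 name;display;path [date size]` layout shown in the log, flags entries whose image lives in a user-writable temp or download directory or whose file details ComboFix could not read (`[?]`), and renders the flagged entries in the same `Collect::`/`KillAll::`/`Driver::` layout CatByte used. The sample input is the service section quoted earlier in this thread; the list of untrusted directories is a heuristic assumed for the example, not a ComboFix rule.

```python
import re

# Constructed sample input: the service/driver section of the ComboFix log
# quoted earlier in this thread, copied verbatim.
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [2009-06-11 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-05-18 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-05-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-18 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-18 298776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-09 210216]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-06-11 348752]
R3 ModemProtection;ModemProtection;c:\windows\System32\ModemProtection.sys [2005-05-15 13157]
S4 FQXPEFL;FQXPEFL;c:\users\bob\AppData\Local\Temp\FQXPEFL.exe --> c:\users\bob\AppData\Local\Temp\FQXPEFL.exe [?]
S4 HFJCDPT;HFJCDPT;c:\users\bob\AppData\Local\Temp\HFJCDPT.exe --> c:\users\bob\AppData\Local\Temp\HFJCDPT.exe [?]
"""

# One entry: "<R|S><start> <name>;<display>;<path>[ --> <resolved>] [<date size> | ?]"
# R = running, S = stopped; the digit is the Windows service start value.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<info>[^\]]*)\]$"
)

# Directories no legitimate service or driver image should load from.
# Assumed heuristic for this example, not a ComboFix rule.
UNTRUSTED_DIRS = [
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\users\\[^\\]+\\downloads\\", re.I),
]


def parse_services(log_text):
    """Return one dict per service/driver line that matches the log layout."""
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        # Prefer the resolved path ComboFix printed after "-->" when present.
        entry["image"] = entry["resolved"] or entry["path"]
        entries.append(entry)
    return entries


def why_suspicious(entry):
    """Reasons to look closer at an entry; an empty list means nothing was flagged."""
    reasons = []
    if any(p.search(entry["image"]) for p in UNTRUSTED_DIRS):
        reasons.append("image loads from a user-writable temp/download directory")
    if entry["info"] == "?":
        reasons.append("ComboFix could not read the file's date and size")
    return reasons


def flag_services(log_text):
    """Pairs of (entry, reasons) for every entry with at least one reason."""
    flagged = []
    for entry in parse_services(log_text):
        reasons = why_suspicious(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def build_cfscript(flagged, thread_url):
    """Render the flagged entries in the Collect::/KillAll::/Driver:: layout used above."""
    lines = [thread_url, "", "Collect::"]
    lines += [entry["path"] for entry, _ in flagged]
    lines += ["", "KillAll::", "", "Driver::"]
    lines += [entry["name"] for entry, _ in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_services(SAMPLE_LOG)
    for entry, reasons in hits:
        print(f"{entry['state']}{entry['start']} {entry['name']}: {entry['image']}")
        for reason in reasons:
            print("   -", reason)
    print()
    print(build_cfscript(hits, "http://forums.whatthetech.com/basline_t104621.html"))
```

Run against the sample, the two `S4` entries are the only ones flagged, each for both reasons, and the rendered script lists their paths under `Collect::` and their service names under `Driver::`. Everything installed under `Program Files` or `System32\drivers` with a readable date and size passes untouched, which is the distinction a reviewer is making when reading this section of a log.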


maco
post Jul 4 2009, 03:09 PM
Post #15


Authentic Member
**

Group: Authentic Member
Posts: 34
Joined: 29-June 09
Member No.: 86,465
Operating System: windows vista



Hello Doug. I have tried to drag fscript.txt into combofix without success. I also tried to save as, but it was not on the drop-down menu. Can you give me a direct link to fscript.txt?